Messages - rk_doubt

RogueKiller / Re: Pre-scan block & maybe false positive
« on: March 27, 2015, 11:00:29 AM »
Hi rk_doubt,

Welcome to Adlice.com Forum.

Thank you Curson, I really enjoy your kindness.
 
Quote from: rk_doubt
On W7 it works flawlessly, despite finding some false positive red threats associated with a detection program (for updating) from the PC manufacturer.
Could you please post the report you obtained? We strive to fix as many false positives as possible.

I'm sorry, but right now I can't physically access it (a friend's laptop), but I remember it was surely about Dell, something like Dell Detect.


Quote from: rk_doubt
I've tried the portable and installer versions but both get stuck on pre-scan and you can't help but reset the OS because everything is blocked (task manager, keyboard and mouse pointer).
Could you please relaunch RogueKiller in normal mode using the option -nokill?
If you need help with the program, please refer to the RogueKiller Official tutorial.

I'd like to try, but I can't find this option in RogueKiller because after 2-3 seconds it gets stuck and I must reboot.



Quote
[File.Forged][Archivio] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Trovato
This driver is certainly legit. However, we are going to double-check.

Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Additionally, zip the following directory:
Quote
C:\TDSSKiller

That's it: https://www.sendspace.com/file/7t37nb

But I can't find the TDSSKiller folder in C:\

Thank you for your support!

RogueKiller / Pre-scan block & maybe false positive
« on: March 26, 2015, 11:41:16 AM »
Hi fellows, thanks in advance for your advanced program.
I would like to give my feedback on it, so I started it on 2 different OSes.

On W7 it works flawlessly, despite finding some false positive red threats associated with a detection program (for updating) from the PC manufacturer.

On XP SP3:

1) Very hard just to start it. I've tried the portable and installer versions but both get stuck on pre-scan and you can't help but reset the OS because everything is blocked (task manager, keyboard and mouse pointer).
So I re-launched it in safe mode and finally it works.


2) At the end of the scan I found this log
Code:
RogueKiller V10.5.7.0 [Mar 22 2015] di Adlice Software
posta : http://www.adlice.com/contact/
Commenti : http://forum.adlice.com
Sito Web : http://www.adlice.com/softwares/roguekiller/
Discussione : http://www.adlice.com

Sistema Operativo : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Iniziato in : Modalità Sicura
Utente : utente [Amministratore]
Iniziato da : C:\Documents and Settings\utente\Documenti\Downloads\RogueKiller.exe
Modalità : Scansione -- Data : 03/25/2015  23:08:47

¤¤¤ Processi : 0 ¤¤¤

¤¤¤ Registro : 5 ¤¤¤
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Trovato
[PUM.StartMenu] HKEY_USERS\S-1-5-21-484763869-602162358-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_W_4B42\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_W_4B42\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato

¤¤¤ Attività : 0 ¤¤¤

¤¤¤ Archivi : 1 ¤¤¤
[File.Forged][Archivio] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Trovato

¤¤¤ Archivio Hosts : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Non caricato [0x2]) ¤¤¤

¤¤¤ Web Browser : 0 ¤¤¤

¤¤¤ Controllo MBR : ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y080L0 +++++
--- User ---
[MBR] 6e95574ecc03410bedb2dfebc9fb683a
[BSP] 2463887d4bc98492808f76efcdfccc69 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 51199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104856255 | Size: 26960 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!

+++++ PhysicalDrive1: MAXTOR 6L020J1 +++++
--- User ---
[MBR] ad5c0416b8b175b3dbd8f285eb57d39c
[BSP] f261d79ad119592be851ba6b5bd2211b : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 19594 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!


It seems that CDUDF.SYS was the problem (MBAR also reported it as forged and deleted), but at every boot it reappears.
I've analyzed it with lots of programs, also on VirusTotal; you can see it here https://www.virustotal.com/it/file/0ef441ac9d748ad2d5b916ae6a79c5faa6fc6b7513144f1c6578635d633cfc87/analysis/1427364566/ but everything seems fine.

Can you tell me how I can resolve the block when launching in normal mode, and whether you can guarantee there is no problem in that log?
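As an added illustration (not code from Adlice or from this thread), the following Python parses detection lines in the format of the RogueKiller report quoted above, checks that each section's declared count matches the lines listed under it, and separates items that deserve a manual second look (a file flagged as forged, System Restore disabled) from routine PUM shell-setting hits. The sample report, the regexes and the triage rule are all constructed assumptions based on the lines visible in this post, not RogueKiller's own specification.

```python
import re

# Constructed sample in the format of the RogueKiller report quoted above
# (Italian locale: "Registro" = registry, "Archivi" = files, "Trovato" = found).
SAMPLE_REPORT = r"""¤¤¤ Registro : 3 ¤¤¤
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Trovato
[PUM.StartMenu] HKEY_USERS\S-1-5-21-484763869-602162358-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato

¤¤¤ Archivi : 1 ¤¤¤
[File.Forged][Archivio] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Trovato
"""
# Section header "¤¤¤ Name : N ¤¤¤" and detection line "[Category][tag] target -> status"
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*:\s*(?P<count>\d+)")
FINDING_RE = re.compile(r"^\[(?P<category>[^\]]+)\](?:\[[^\]]+\])*\s*(?P<target>.+?)\s*->\s*(?P<status>\S+)$")


def parse_report(text):
    """Return (findings, mismatches). Each finding keeps its section, category,
    target and status; mismatches maps a section to (declared, parsed) counts
    when the header count disagrees with the detection lines listed under it."""
    findings, declared, parsed, section = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group("name")
            declared[section] = int(s.group("count"))
            parsed[section] = 0
            continue
        f = FINDING_RE.match(line)
        if f and section:
            parsed[section] += 1
            findings.append({"section": section, "category": f.group("category"),
                             "target": f.group("target"), "status": f.group("status")})
    mismatches = {n: (declared[n], parsed[n]) for n in declared if declared[n] != parsed[n]}
    return findings, mismatches


def triage(findings):
    """Split findings into items that deserve a manual second look and routine
    PUM (potentially unwanted modification) shell-setting changes."""
    review, routine = [], []
    for f in findings:
        # A file RogueKiller flags as forged, or System Restore switched off
        # (DisableSR = 1), is worth checking; the rest are cosmetic settings.
        if f["category"] == "File.Forged" or "DisableSR : 1" in f["target"]:
            review.append(f)
        else:
            routine.append(f)
    return review, routine
```

Running `parse_report(SAMPLE_REPORT)` and then `triage(...)` on the result puts the DisableSR key and CDUDF.SYS into the review list and the two desktop-icon/recent-docs settings into the routine list.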
